Legal Framework
The legality of RE is not assured a priori:
varies with jurisdiction;
varies with what is being reversed;
varies with the purpose of the RE activity;
varies with the impact on the product owner.
Applicable legislation:
USA: Digital Millennium Copyright Act;
EU: EU Directive 2009/24.
This only applies to third parties.
Product owners are free to use their own products as they see fit.
RE for the purpose of Software Quality Control.
Allowed situations (Europe, Directive 2009/24/EC)
The unauthorized reproduction, translation, adaptation or transformation of the form of the code in which a copy of a computer program has been made available constitutes an infringement of the exclusive rights of the author.
... circumstances may exist when such a reproduction of the code and translation of its form are indispensable to obtain the necessary information to achieve the interoperability of an independently created program with other programs.
... in these limited circumstances only, performance of the acts of reproduction and translation by or on behalf of a person having a right to use a copy of the program is legitimate and compatible with fair practice…
Article 5 b): To learn
The person having a right to use a copy of a computer program shall be entitled, without the authorisation of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do.
Broad Interpretation: if you own a legitimate copy of the software, and are able to load it/run it/etc… you may analyze it for the purpose of learning.
Caveats:
Replicating an algorithm may not be allowed, as a copy of the work infringes the copyright.
Copy protection mechanisms cannot be overcome.
If there is a copy protection and you cannot freely execute the program, you do not have authorization to use it.
Methods for bypassing protections are not legal.
Crackers, keygens.
EULAs cannot restrict RE tasks
Article 6: Decompilation is generally allowed for the purposes listed in this directive, but mostly focusing on interoperability
Allowed when indispensable to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs.
Provided that the following conditions are met:
those acts are performed by the licensee or by another person having a right to use a copy of a program, or on their behalf by a person authorized to do so;
the information necessary to achieve interoperability has not previously been readily available to the persons referred to in point (a);
those acts are confined to the parts of the original program which are necessary to achieve interoperability.
Allowed situations (USA, DMCA)
Interoperability: even circumventing DRM.
Encryption research: if the protection prevents the evaluation of the technology.
Security testing: determine if a software is secure and to improve it.
Regulation: to limit what information is presented to minors.
Government Investigation: government agencies are not affected.
Privacy protection: users may reverse and circumvent data gathering technologies.
EULAs may restrict RE actions, although this is not guaranteed by law.
Last updated